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~ The MAILING DATE of this communication appears on the cover sheet with the correspondence address ~ 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the maDing date of this communication. 
• Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 

Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1)S Responsive to communication^) filed on 5/1 &05 . 
2a)D This action is FINAL. 2b)03 This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quay/e, 1 935 CD. 1 1 , 453 O.G. 21 3. 

Disposition of Claims 

4) E3 Claim(s) 7,3-77 and 19-32 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) E3 Claim(s) 1. 4-17. 20-32 is/are rejected. 

7) E3 Claim(s) 3 and 19 is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10) ^ The drawing(s) filed on 12 June 2001 is/are: a)^ accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

2. D Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 

1. Claims 1, 3-17 and 19-32 are pending in this application. 



Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1. 17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1 17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 4/12/05 has been entered. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1,3-17 and 19-32 have been considered but 
are moot in view of the new ground(s) of rejection. 

Allowable Subject Matter 

4. Claims 3 and 19 are objected to as being dependent upon a rejected base claim, but would 
be allowable if rewritten in independent form including all of the limitations of the base claim 
and any intervening claims. 



Application/Control Number: 09/880,231 
Art Unit: 2194 



Page 3 



Claim Rejections - 35 USC §103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

6. Claims 1, 3-17 and 19-32 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Schnurer et al (hereafter Schnurer) (U.S. Patent 5,842,002), in view of Nachenberg (U.S. Patent 
6,357,008). 

7. Schnurer was cited in the last office action. 

8. As to claim 1, Schnurer teaches the invention substantially as claimed including a 
computer-implemented method for executing an untrusted program [abstract, lines 1-2], 
comprising: 

establishing a limited environment within a general environment [col. 6, lines 56-58; 
Figs. 3 and 4], wherein said limited environment comprises one or more mock resources 
[col. 4, lines 16-20, 22-26 and 47-49; col. 7, lines 3-8], wherein said general environment 
comprises one or more real resources [col. 4, lines 24-25; col. 7, lines 15-18], wherein 
programs executing within said limited environment cannot access the one or more real 
resources in said general environment [abstract; col. 5, lines 5-10; col. 7, lines 15-18]; 
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executing at least a portion of an untrusted program within said limited environment [col. 
7, lines 5-12]; and examining said limited environment after execution of at least said 
portion of said untrusted program to check for undesirable behavior exhibited by said 
untrusted program [col. 4, lines 32-36; col. 7, lines 12-15; 48, 50, 52, Fig. 1]. 

9. Schnurer does not specifically teach wherein said limited environment and said general 
environment are both provided by the same operating system. However, Schnurer disclosed 
trapping device within a network environment [col. 6, lines 56-58; Fig. 3 and 4]. In addition, 
Nachenberg teaches an antivirus program that includes a decryption, exploration and evaluation 
phases/modules causing a CPU emulator with virtual memory to simulate untrusted 
programs/instructions [Nachenberg, col. 1, lines 16-20; col. 5, lines 27-40; col. 6, lines 52-58; col. 
7, line 31 -col. 8, line 47]. 

10. It would have been obvious to one of an ordinary skill in the art at the time the invention 
was made, to have combined the teaching of Schnurer with the teaching of Nachenberg by 
implementing the limited environment in the same machine as the general environment if the 
limited environment is limited to protect a specific machine and to have an operating system 
within the machine providing both environments for the same reason (i.e. an antivirus program 
running under an operating system protecting other programs/hardware/real resources running 
under the same operating system). 
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11. As to claim 4, Schnurer as modified teaches the invention substantially as claimed 
including wherein examining said limited environment comprises: determining whether a mock 
resource has been deleted [col 4, lines 37-39; col. 7, lines 12-15; Nachenberg, col. 9, line 44]. 
Schnurer as modified does not specifically teach a particular mock resource. However, Schnurer 
disclosed if anything within the environment changes, is a sign of a virus [col. 7, lines 48-52], 
and Nachenberg disclosed signature scanning of known viruses [Nachenberg, col. 1, lines 22- 
45]. It would have been obvious to one of an ordinary skill in the art at the time the invention 
was made, to have recognized that a deletion of a particular file such as a system file is an 
obvious sign of a virus (i.e. deletion of a particular system file that would cause instability to the 
operating system). 



12. As to claims 5-7, these claims are rejected for the same reason as claim 4 above. In 
addition, Schnurer as modified teaches mock resource has been renamed or moved [Nachenberg, 
col. 9, lines 47-49], or altered [col. 7, line 48 to col. 8, line 26; Nachenberg, col. 9, lines 54-55]. 

13. , As to claim 8, Schnurer as modified teaches the invention substantially as claimed 
including wherein said mock resource has a parameter associated therewith which changes when 
said mock resource is altered, and wherein determining whether said mock resource has been 
altered, comprises: 

determining whether said parameter has changed [col. 7, line 48 to col. 8, line 26]. 
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14. As to claim 9, Schnurer as modified does not specifically teach the step of determining 
whether said mock resource has been last updated. However, Schnurer disclosed that his system 
could detect any malicious act by the virus, including the activities of changing the FAT table 
and changing of the error checking algorithm [col. 7, lines 59-60; col. 8, lines 25-26; col. 4, lines 
37-39]. It would have been obvious to one of an ordinary skill in the art at the time the invention 
was made, to have recognized that common viral activities or critical behaviors exhibited by 
viruses would have included the updating of system resources as being considered and 
implemented in Schnurer et al's method of virus detection. 

15. As to claim 10, this claim is rejected for the same reason as claim 4 above. In addition, 
Schnurer as modified teaches the invention substantially as claimed including wherein 
examining said mock environment comprises: 

determining whether said mock resource has been accessed [col. 7, line 48 to col. 8, line 26]. 

16. As to claim 1 1, Schnurer as modified does not specifically teach wherein said mock 
resource contains one or more sets of content, and searching a particular portion of memory for 
at least one of said one or more sets of content. It is well known in the art that when a file gets 
accessed or altered, traces of the contents being accessed is located in the memory, in addition, 
Schnurer disclosed the determination of potential viral activities by examining "if anything 
within the environment changes. . [col. 7, line 48 to col. 8, line 26]. 
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17. As to claim 12, Schnurer as modified teaches the invention substantially as claimed 
including providing information indicating behavior exhibited by said untrusted program [col. 7, 
line 25 to col. 8, line 26]. 

18. As to claims 13 and 14, Schnurer as modified teaches the invention substantially as 
claimed including wherein said information comprises indications of undesirable behavior 
exhibited by said untrusted program [col. 7, lines 48-52], and in response to a determination that 
said untrusted program has exhibited undesirable behavior, taking corrective action [col. 8, lines 
27-35; 52, Fig. 1]. 

19. As to claims 15 and 16, Schnurer as modified teaches the invention substantially as 
claimed including wherein taking corrective action comprises: deleting said untrusted program 
and warning to a user [col. 8, lines 27-35; 52, Fig. 1]. 

20. As to claims 17 and 20-32, these are system claims that correspond to the method claims 
1 and 4-16. Therefore, they are rejected for the same reason as claims 1 and 4-16 above. 

21 . The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

U.S. Patent No. 6,192,512 to Chess, and U.S. PGPub. 20020073323 to Jordan teach 
running untrusted program in simulated environment. 
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22. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Qing-Yuan Wu whose telephone number is (571) 272-3776. The 
examiner can normally be reached on 8:30am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Meng-Ai An can be reached on (571) 272-3756. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Qing-Yuan Wu 



Examiner 
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